KB-6EF1 rev 2

RP-03 Consolidated DDL And Expected Constraints


Status: RESOLVED_BLOCKING

Normative Creation Order

  1. Roles, schema, domains.
  2. code_catalog_set, code_catalog_family, code_catalog_item.
  3. manifest_set, manifest_item_envelope.
  4. The 27 child contracts in dependency order, with the four forward child FKs deferred.
  5. operator_operand_compatibility.
  6. evidence_registry, human_identity_registry, principal_registry, analyzer_run, manifest_activation.
  7. The 11 non-authority runtime-evidence tables.
  8. All deferred constraints below.
  9. Owner/ACL/default-privilege/immutable-trigger setup.
  10. Constraint/object exact-set verification, then seal/activate only if every check passes.

Complete Deferred Constraint Groups

  1. Four child forward FKs: policy-rule/operator; metric/unit; capability/workload; signoff/tier.
  2. Dependency runtime FKs: analyzer-run and evidence.
  3. Manifest FKs: creator, sealed activation, activated activation, envelope retirement evidence.
  4. Evidence/identity cycle FKs: evidence issuer; human identity evidence; principal binding evidence.
  5. Catalog root retirement-evidence FK.

Every runtime-evidence FK is inline because its referenced anchor/child exists before group 7. All constraints use RESTRICT/RESTRICT/NOT DEFERRABLE.

Expected Constraint Model In Counted Surface #20

Codex rejects a free-form expected-constraint JSON payload. Instead:

  • each TABLE row in authority_scope_manifest has expected_constraint_set_sha256;
  • each expected CONSTRAINT/INDEX is its own typed #20 row with canonical object_identity, parent_object_identity, object_type, and expected_definition_sha256;
  • the TABLE set hash is the canonical total-order hash of its child constraint/index rows.

The realized snapshot comes from PG16 pg_constraint and pg_index, canonicalized under CP-06. Expected vs realized rows and hashes compare in both EXCEPT directions. Missing/extra/changed authority-relevant constraints fail OBJECT_AUTHORITY_IMMUTABLE. Dropping any deferred FK in rehearsal must produce that failure.

Authority-affecting classes are every PK, UNIQUE, FK, CHECK, exclusion constraint, expression/partial index, and every index used by a sealed readiness, uniqueness, authority, or write-path contract. An unknown extra authority-affecting constraint/index always fails.

There is no runtime BENIGN_EXTRA_INDEX exemption. Every extra index, including a plain performance index believed benign, fails OBJECT_AUTHORITY_IMMUTABLE. To permit such an index, a new candidate manifest version must add its typed #20 INDEX row and exact definition hash to the expected set, pass review/seal/quorum, and activate before the index may exist; after that it is expected, not extra. Operator labels, names, patterns, source-code allowlists, and ad-hoc judgment cannot exempt an index. This creates no new authority surface or hidden exception path.
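
The expected-versus-realized comparison and the no-exemption rule above, as an added example (not the project's own code): it hashes each typed row, derives the per-table set hash, and diffs in both EXCEPT directions. Whitespace folding stands in for CP-06, the tuple-sort total order is an assumption, and every object name and definition is constructed.

```python
import hashlib
from typing import NamedTuple

FAILURE = "OBJECT_AUTHORITY_IMMUTABLE"  # failure code named on the page

class Row(NamedTuple):  # one typed #20 row; field names follow the page
    object_identity: str
    parent_object_identity: str
    object_type: str  # "CONSTRAINT" or "INDEX"
    definition_sha256: str

def row(identity, parent, object_type, definition):
    # Assumption: whitespace folding stands in for CP-06 canonicalization.
    canon = " ".join(definition.split())
    return Row(identity, parent, object_type, hashlib.sha256(canon.encode()).hexdigest())

def set_hash(rows, table):
    # Assumed total order: plain tuple sort of the table's child rows.
    h = hashlib.sha256()
    for r in sorted(r for r in rows if r.parent_object_identity == table):
        h.update(("\x1f".join(r) + "\n").encode())
    return h.hexdigest()

def compare(expected, realized):
    exp, real = set(expected), set(realized)
    exp_ids = {r.object_identity for r in exp}
    real_ids = {r.object_identity for r in real}
    findings = []
    for r in exp - real:  # expected EXCEPT realized: missing or changed
        kind = "CHANGED" if r.object_identity in real_ids else "MISSING"
        findings.append((kind, r.object_identity))
    for r in real - exp:  # realized EXCEPT expected: extra (changed already reported)
        if r.object_identity not in exp_ids:
            findings.append(("EXTRA", r.object_identity))
    return ("PASS" if not findings else FAILURE), sorted(findings)

# Constructed sample data: a dropped FK, an altered CHECK, and a plain extra index.
T = "authz.manifest_set"
EXPECTED = [
    row("authz.manifest_set_pkey", T, "CONSTRAINT", "PRIMARY KEY (manifest_set_id)"),
    row("authz.manifest_set_creator_fk", T, "CONSTRAINT", "FOREIGN KEY (creator_id) "
        "REFERENCES authz.principal_registry(principal_id) ON UPDATE RESTRICT ON DELETE RESTRICT"),
    row("authz.manifest_set_state_ck", T, "CONSTRAINT", "CHECK (state IN ('CANDIDATE','SEALED'))"),
]
REALIZED = [
    row("authz.manifest_set_pkey", T, "CONSTRAINT", "PRIMARY KEY  (manifest_set_id)"),
    row("authz.manifest_set_state_ck", T, "CONSTRAINT", "CHECK (state IN ('CANDIDATE','SEALED','DRAFT'))"),
    row("authz.manifest_set_created_idx", T, "INDEX", "CREATE INDEX manifest_set_created_idx ON authz.manifest_set (created_at)"),
]
```

`compare(EXPECTED, REALIZED)` reports all three deviations under the single failure code, and `set_hash` gives the same value for any ordering of the same child rows.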

Reversal is the exact reverse order and may drop only empty candidate-only objects. Active/history objects are never dropped.

knowledge/dev/reports/architecture/codex-fix7-design-correction-from-t1-rp-refinements-2026-06-07/06-rp03-consolidated-ddl-constraint-catalog.md